Toshiba and Muji have warned website visitors that suspicious sign-in screens appearing on their sites could harvest credentials, advising anyone who entered login data to change their passwords. The pop-ups were generated by the external polyfill[.]io service, which injected malicious code via its CDN after the domain was bought by a Chinese entity in 2024, an incident that affected more than 100,000 websites. Japanese outlets report that Zojirushi, FiNC Technologies, Ishiyaku Publishers, and Hobonichi were also hit, and a researcher observed Samsung Smart TVs and sites showing the prompt on June 1. Polyfill is a JavaScript compatibility CDN for legacy browsers; affected sites should remove all polyfill[.]io references immediately.
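One way to act on the removal advice above is to list every script and link tag in a site's HTML that loads from polyfill.io or one of its subdomains, without flagging lookalike hosts or local paths. This is an added example, not code from the article or the affected vendors; `findPolyfillRefs`, `isBlockedHost`, the `site.example` base URL and the sample HTML are assumptions constructed for illustration, and the regex tag matching only approximates HTML parsing.

```javascript
// Added example: flag <script>/<link> references to polyfill.io in page source.
const BLOCKED_DOMAIN = "polyfill.io"; // domain named in the advisory above

// True when host is the blocked domain or any subdomain of it (e.g. cdn.polyfill.io).
function isBlockedHost(host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  return h === BLOCKED_DOMAIN || h.endsWith("." + BLOCKED_DOMAIN);
}

// Return [{tag, url, line}] for every script/link URL whose host is blocked.
// pageUrl is a hypothetical base used to resolve relative and //host URLs.
function findPolyfillRefs(html, pageUrl = "https://site.example/") {
  const findings = [];
  const tagRe = /<(script|link)\b[^>]*?\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of html.matchAll(tagRe)) {
    const raw = (m[2] ?? m[3] ?? m[4] ?? "").trim();
    let parsed;
    try {
      parsed = new URL(raw, pageUrl); // compare parsed hostnames, not substrings
    } catch {
      continue; // unparsable attribute value, nothing to resolve
    }
    if (isBlockedHost(parsed.hostname)) {
      const line = html.slice(0, m.index).split("\n").length;
      findings.push({ tag: m[1].toLowerCase(), url: raw, line });
    }
  }
  return findings;
}

// Constructed sample page, not taken from any affected site.
const SAMPLE_HTML = `<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src='//POLYFILL.IO/v3/polyfill.min.js'></script>
<link rel="preload" as="script" href="https://polyfill.io/v3/polyfill.js">
<script src="https://notpolyfill.io/lib.js"></script>
<script src="https://polyfill.io.cdn.example/lib.js"></script>
<script src="/static/polyfill.io/local-copy.js"></script>
</head></html>`;

console.log(findPolyfillRefs(SAMPLE_HTML));
```

The scan covers static markup only; references added at runtime by other scripts or by a tag manager need a check of the rendered page or of outbound requests.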